Security in Software-Defined Networking: Threats and Countermeasures

Mobile Networks and Applications

Abstract

In recent years, Software-Defined Networking (SDN) has been a focus of research. As a promising network architecture, SDN may replace traditional networking, as it brings opportunities for network management in terms of simplicity, programmability, and elasticity. While many efforts are currently being made to standardize this emerging paradigm, careful attention also needs to be paid to security at this early design stage. This paper focuses on the security aspects of SDN. We begin by discussing the characteristics and standards of SDN. On the basis of these, we discuss the security features as a whole and then analyze the security threats and countermeasures in detail from three aspects, based on which part of the SDN paradigm they target, i.e., the data forwarding layer, the control layer, and the application layer. Countermeasure techniques that could be used to prevent, mitigate, or recover from some of these attacks are also described, while the threats encountered when developing these defensive mechanisms are highlighted.

Acknowledgments

This work was supported in part by the Fundamental Research Funds for the Central Universities (No. 2015ZZ079), the Natural Science Foundation of Jiangxi Province, China (No. 20151BAB207024), the Natural Science Foundation of Fujian Province, China (No. 2014J05045), the Natural Science Foundation of Guangdong Province, China (No. 2015A030308002), and the National Natural Science Foundation of China (Nos. 61262013, 61572220, 41401458, 61363011, and 51575194). Imran’s work is supported by the Deanship of Scientific Research at King Saud University through Research group No. (RG # 1435-051).

Author information

Corresponding author

Correspondence to Jiafu Wan.

About this article

Cite this article

Shu, Z., Wan, J., Li, D. et al. Security in Software-Defined Networking: Threats and Countermeasures. Mobile Netw Appl 21, 764–776 (2016). https://doi.org/10.1007/s11036-016-0676-x

  • DOI: https://doi.org/10.1007/s11036-016-0676-x
